A Guide to Incident Response with Automation in Resilience Management

Introduction

From natural disasters to cyberattacks to IT incidents, the number of critical events organizations face today is increasing. The BCI Emergency & Crisis Communications Report 2024, for instance, charts a staggering 30.6% surge in the number of organizations requiring activation of their crisis plans between one and five times a year between the years 2015 and 2025. And, according to the same report, nearly 65% of organizations had to activate their plans between one and five times in the last year, up from 60% in 2023.

The rise of complex incidents

This trendline, bespeaking a sharp uptake in the number of incidents, is alarming in and of itself. But it’s hardly the end of the story. Besides becoming more frequent, crises are becoming more complex, too.

This theme has been picked up by resilience experts. Deputy Coordinator General at the National Emergency Management Agency (NEMA) in Australia, Joe Buffone has discussed the rise of “more frequent, more intense and more complex emergencies,” necessitating “much quicker responses.”ⁱ

The important of execution speed in incident response

Indeed, speed in incident response has always been essential to protecting a company’s reputation, minimize damage, and ensure resiliency. Of course, speed, as incident responders well know, is never guaranteed, especially organizational speed during complex incidents.

Writing in the MIT Sloan Management Review, business experts Bernadine J. Dykes, Margaret Hughes-Morgan, Kalin D. Kolev, and Walter J. Ferrier highlight execution speed as one of the critical components of organizational speed in a complex crisis.ⁱⁱ Execution speed, here, refers to how quickly resources, people, and/or processes are mobilized to support an action.ⁱⁱⁱ

A traditional measure of execution speed in incident response is the time it takes to activate plans. Sixty minutes or less has long been considered the “golden hour,” during which organizations must activate plans to ensure incident success. For context, historic data reveals more than a quarter of crises are picked up by international media outlets within the golden hour.^iv

Activation speed hasn’t kept up with the pace of incidents.

Research from the BCI shows that a majority of plan activations now fit within that golden hour. However, with crises themselves becoming more complex, putting an even greater premium on faster execution speeds, it’s fair to ask whether plan activation speeds have kept up with a threat environment now demanding automatic activation? Here, the data suggests no.

According to the BCI, a mere 22.9% of organizations take five minutes or fewer to activate their plans, with a paltry 2.9% taking zero minutes.

Meanwhile, approximately 57.9% take anywhere between five minutes and a full hour, with an additional 14.7% taking from one to five hours.

What’s worse, trendlines are heading in the wrong direction. The number of organizations able to respond within 30 minutes or less has fallen slightly to 67.7%, down from 73.1% in 2023. Similarly, 27% of respondents could activate plans within five minutes in 2023; in 2024, that percentage fell to 22.9%.

What’s behind the falling numbers? Analysts surmise that the increasingly complex nature of crises is one of the culprits.

How to cut down activation time and accelerate incident response

When every moment counts, such as it does during a disruption, what can be done to cut down activation times and accelerate incident response?

For their part, analysts have concluded that there’s a significant time-saving advantage to be gained from using formal, digital tools.

For instance, a quarter of organizations using an emergency communication tool are able to activate their plan within five minutes as opposed to 17% of those not using an emergency communication tool. Similarly, nearly three quarters of organizations using emergency communication tools are able to activate plans within 30 minutes as opposed to only 57.6% not using emergency communication tool.  

Incident response automation to cut down activation times

But what’s the software capability that lowers activation times? One of the most important is incident response automation.

Broadly speaking, incident response automation uses rule-driven logic to:

• Automatically analyze and correlate data from different sources to identify and triage incidents that threaten an organization’s resilience
• Automatically complete routine, standardized tasks to expedite the incident response process and increase response efficiency and effectiveness

The benefits of incident response automation

Why automation, though? Automation is key in that it helps to remove a common pain point in incident response, i.e., the human element.

The human factor in the completion of routine tasks associated with an incident, e.g., manually establishing which recovery strategies or plans and playbooks should be activated based on what’s been impacted during an incident, is often cited as a barrier to higher response rates.^v

What then are the complete list of benefits of incident response automation? They include the following:

Faster response times

Automated incident response can significantly reduce response times in critical situations. Instead of manually assessing and initiating the appropriate response, the system can do it instantly.

Risk mitigation

As a result, automating incident response can also help reduce the risk of human delays, errors, or oversights that could lead to more severe consequences during an incident.

Greater peace of mind

Knowing that incident plans will be activated promptly and correctly can provide peace of mind to employees, executives, and other stakeholders, thereby enhancing overall confidence in the organization’s preparedness.

Support for complex scenarios

There’s a clear trend toward increasingly complex incidents involving multiple interrelated factors. Here, automation can help manage these complex scenarios by considering a wide range of data inputs and conditions.

Customization and flexibility

Specific components or features within the incident response capability can be tailored to an organization’s specific needs and requirements, thereby ensuring that the functionality adapts to unique incident scenarios and industries (See more below).

Incident response automation capabilities to consider

What incident response automation capabilities to consider specifically? Third-party software analysts point to the clear ROI to be gained from resilience management platforms that solve multiple use cases in an integrated manner, therefore providing value beyond just crisis management. The same logic applies to incident response automation capabilities within these platforms that provide value for multiple solution areas.

Which solution areas and associated functionality should organizations consider?

For Business Continuity and Operational Resilience, we recommend:

• Functionality that lets you define your recovery strategies and their associated plans and playbooks. These can then be associated with your Critical Products and Services and Prioritized Activities.
• A platform that during an incident, based on what you have defined as being impacted, automatically suggests the recovery strategies that need to be activated based on the impacts of the incident.
• Functionality that once your recovery strategy is activated, automatically adds associated plans and checklists to the incident for you.

For Crisis and Incident Management, we recommended:

• A Plan Categories feature that allows you to give plans a specific category.
• Based on that category and an associated workflow node, you will be able to automate any disruption scenario to pull through the correct plan automatically to the incident for you.

How would the latter work? Consider the following. Your organization has a specific plan that must always be activated whenever there’s an Information Breach/Loss. The automated incident response functionality described above empowers you to give this plan a category of “Information Breach/Loss.” From there, a workflow can be configured for when an incident is activated for the incident type “Information Breach / Loss,” and then the plan can automatically be added to the incident.

Smarter incident management with Noggin

Of course, not all software touting incident management automation capabilities is created equal. Noggin’s integrated resilience workspace, for one, seamlessly unifies operational risk management, third party risk management, operational resilience, business continuity, security operations, crisis and incident management, and emergency management.

On the incident management front, specifically, the platform enables organizations to effectively prepare for and manage disruption by managing all recovery strategies as well as plans and playbooks in one centralized location. This level of centralization facilitates standardization of response plan templates, protocols, and guidelines, ensuring easy access, enhanced coordination, and reduced risk of critical information being missed.

Finally, effective incident response, as we’ve argued in this article, is non-negotiable in today’s fast-evolving digital and risk landscapes. That’s why Noggin has harnessed the power of automation and intelligence to revolutionize how organization’s plans and playbooks are activated when disruptions strike.

Noggin’s cutting-edge automation improves incident response in real-time. To sum up, suggested recovery strategies and automatically activated plans not only reduce the time required to assess the situation and determine the most suitable plans but also accelerate your response time, enabling you to mitigate potential harm, and protect your organization from adverse consequences.

But don’t just take our word for it. Request a demo with our product specialists to learn more about how Noggin is transforming incident response through automation.

Sources

i Lily Stokes, Public Sector Network: Using technology to increase resilience and coordinate response in times of crisis. Available at https://publicsectornetwork.com/insight/article-technology-increase-resilience-coordinate-response-time-of-crisis/.

ii Bernadine J. Dykes et al, MIT Sloan Management Review: Responding to Crises With Speed and Agility. Available at https://sloanreview.mit.edu/article/responding-to-crises-with-speed-and-agility/.

iii Ibid.

iv Freshfields Bruckhaus Deringer: Containing a crisis Dealing with corporate disasters in the digital age. Available at https://www.freshfields.com/49fabb/globalassets/campaign-landing/cyber-security/containing-a-crisis.pdf.

v The BCI: BCI Emergency & Crisis Communications Report 2024. Available at https://www.thebci.org/resource/bci-emergency---crisis-communications-report-2024.html.